From: Daniel J Walsh <dwalsh@redhat.com>
To: selinux@tycho.nsa.gov
Subject: Re: init problem
Date: Sun, 07 Mar 2010 07:42:47 -0500
Message-ID: <4B939F47.7050704@redhat.com>
In-Reply-To: <20100307101505.GA3587@myhost.felk.cvut.cz>
[-- Attachment #1: Type: text/plain, Size: 1673 bytes --]
On 03/07/2010 05:15 AM, Michal Svoboda wrote:
> Hello,
>
> I just tried to boot a selinux installation in the plain old way (i.e.
> without initramfs) and it seems there is a bug in the init mechanism.
> Sysvinit has a
>
> #ifdef WITH_SELINUX
>   if (getenv("SELINUX_INIT") == NULL && !is_selinux_enabled()) {
>     putenv("SELINUX_INIT=YES");
>     if (selinux_init_load_policy(&enforce) == 0) {
>       execv(myname, argv);
>
> whereas the is_selinux_enabled man page says "returns 1 if SELinux is
> running or 0 if it is not.".
>
> The problem is that init is the first process and at that very early
> point neither /selinux nor /proc is mounted. The function uses these to
> determine the state of things and if it can't it returns a -1, which is
> an undocumented value and thus a value not accounted for.
>
> So I think that either is_selinux_enabled should return 0 if it can't
> tell (or use some other mechanism to tell), or -1 should be documented
> in the man page and the sysvinit code should be changed to read
>
>   if (getenv("SELINUX_INIT") == NULL && (0 == is_selinux_enabled())) {
>                                          ^^^^
>
> Michal Svoboda
>
man is_selinux_enabled()

    ...
    is_selinux_enabled returns 1 if SELinux is running or 0 if it
    is not.
    May change soon.
    ...
    russell@coker.com.au 1 January 2004
    is_selinux_enabled(3)

I guess it depends on your definition of soon.

/usr/include/selinux/selinux.h has

    /* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if
       we get an error. */
    extern int is_selinux_enabled(void);

Attached patch to fix man page.

[-- Attachment #2: libselinux-manpage.patch --]
[-- Type: text/plain, Size: 814 bytes --]
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/is_selinux_enabled.3 libselinux-2.0.92/man/man3/is_selinux_enabled.3
--- nsalibselinux/man/man3/is_selinux_enabled.3 2009-03-06 14:41:45.000000000 -0500
+++ libselinux-2.0.92/man/man3/is_selinux_enabled.3 2010-03-07 07:40:57.000000000 -0500
@@ -1,4 +1,4 @@
-.TH "is_selinux_enabled" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.TH "is_selinux_enabled" "3" "7 Mar 2010" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
is_selinux_enabled \- check whether SELinux is enabled
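Review bot: the new .TH date "7 Mar 2010" abbreviates the month, while the line it replaces used the full form "1 January 2004". Consider "7 March 2010" so the page header keeps one date style.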
@@ -14,6 +14,7 @@
.SH "DESCRIPTION"
.B is_selinux_enabled
returns 1 if SELinux is running or 0 if it is not.
+On error, \-1 is returned.
.B is_selinux_mls_enabled
returns 1 if SELinux is running in MLS mode or 0 if it is not.
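Review bot: the added sentence "On error, \-1 is returned." in DESCRIPTION does not say what counts as an error or how a caller should treat it. The sysvinit caller quoted in this thread tests the result with !is_selinux_enabled(), so a sentence telling callers to compare the result explicitly rather than use it as a boolean would help. The is_selinux_mls_enabled sentence that follows is left as "returns 1 ... or 0 if it is not"; if that function can also return \-1, document it in the same change.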
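An added example (not part of the original message, of sysvinit, or of libselinux) tabulating how three forms of the check treat the three return values documented in selinux.h. The function names and the `!= 1` variant are assumptions for illustration, and return codes are passed in as plain integers so the block runs without libselinux.

```c
#include <stdbool.h>
#include <stdio.h>

/* Return values documented in selinux.h: 1 = running, 0 = not running,
 * -1 = error (in the report: /selinux and /proc not mounted yet). */
enum { SE_ERROR = -1, SE_NOT_RUNNING = 0, SE_RUNNING = 1 };

/* Boolean test as written in the quoted sysvinit snippet. */
static bool check_not(int rc) { return !rc; }

/* Explicit comparison with zero. */
static bool check_eq_zero(int rc) { return rc == 0; }

/* Hypothetical variant: load unless SELinux is positively reported running,
 * so an error this early in boot is treated as "policy not loaded yet". */
static bool check_ne_one(int rc) { return rc != 1; }

/* Hypothetical helper modelling the snippet's condition. env_set stands for
 * getenv("SELINUX_INIT") != NULL, the guard against re-exec loops. */
static bool should_load_policy(bool env_set, int rc, bool (*check)(int))
{
    if (env_set)
        return false;   /* init already re-executed itself once */
    return check(rc);
}

int main(void)
{
    const int rcs[] = { SE_ERROR, SE_NOT_RUNNING, SE_RUNNING };

    printf("%4s  %-5s %-7s %-7s\n", "rc", "!rc", "rc==0", "rc!=1");
    for (size_t i = 0; i < sizeof rcs / sizeof rcs[0]; i++) {
        int rc = rcs[i];
        printf("%4d  %-5s %-7s %-7s\n", rc,
               should_load_policy(false, rc, check_not) ? "load" : "skip",
               should_load_policy(false, rc, check_eq_zero) ? "load" : "skip",
               should_load_policy(false, rc, check_ne_one) ? "load" : "skip");
    }
    return 0;
}
```

For rc = -1 the first two columns both print "skip", meaning init would continue booting without loading a policy; only the third column treats the error as a reason to load.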